Data Breach

Hackers don’t go on holiday over Christmas, and consequently everyone needs to be more vigilant than usual during this busy time of year, when individuals and businesses can be preoccupied.

The theft of data is very much on the mind of hackers over the Christmas period, as this is considered a prime time when many transactions are undertaken on-line, with bank and credit cards in particular being targeted.

One of the most common methods used is phishing, which can occur as follows:-

1. Individuals can be tricked into sharing sensitive data by a website that is not what it seems

2. Clicking on a dubious website link

3. Responding to an e-mail from a bogus sender.

Risk management within a business and good cyber hygiene are key to preventing the loss of data and should be practised at all times, irrespective of the time of year.

Some examples of this are as follows:-

Ensure that the latest software patches are installed

Make sure passwords are strong and that they are not reused by individuals across accounts, and consider the use of a password manager.

Apply two-factor authentication, as this provides an extra layer of protection.

Outside of work, individuals should practise similar cyber hygiene and carry out the following:-

Be careful when entering your debit or credit card PIN into a machine, whether at a shop or when withdrawing cash.

If for some reason things do not feel right, do not go through with a transaction on your computer, and check the legitimacy of the website.

Ensure that the website you are on is the genuine website and not one that is pretending to be it.

Do not click on links from Facebook or other social media sites unless you know who they are from.

Ensure that your Wi-Fi is secure and protected with a password of your own choosing.

Change the default passwords on new toys or other devices that connect to the internet, to help prevent hackers from accessing them.

Equifax, one of the largest US credit reporting agencies, last week suffered a massive data breach. Early indications are that it has affected as many as 143 million US customers, whilst also impacting individuals in the UK and Canada. This attack has been further compounded by a subsequent attack in Argentina, which again targeted the US.

The incident occurred between May and July this year and involved the compromise of social security numbers, birth dates, addresses and driving licence details. In addition, it is understood that the hackers managed to access 209,000 credit card numbers and other documents disclosing personally identifiable information relating to a further 182,000 Equifax customers.

The credit reporting agency looks after the data of 44 million British customers for British Gas, BT and Capital One, and it is understood that up to 400,000 may have had their details compromised during the breach.

Cyber security consultants have been appointed to carry out a forensic investigation to try to ascertain the scope of the hackers’ intrusion into the company’s systems and exactly what data has been compromised. Action Fraud in the UK has also posted guidance on its website for UK citizens in the event of possible fraudulent activity on their accounts following this data breach.

Credit Monitoring

All customers affected have been offered credit monitoring and identity theft protection free of charge.

Data Notification

In the US the average per-person cost of a data breach is believed to be $225; with possibly 143 million individuals affected, the financial implications of this are extremely high.

Cyber Insurance

It is understood that Equifax did take out cyber insurance, and this will go some way to mitigating the financial costs associated with such a breach. Other insurance policies may also be able to respond in relation to this loss.

Notification to Regulatory Bodies

This cyber attack has also been reported to the relevant US law enforcement agencies; in addition, the ICO in the UK has been alerted to assess the implications for UK citizens.

The Consequences of the Breach

Impact on Share Price

It is too early to assess the ramifications of the data breach on Equifax; however, the shares of Equifax dropped nearly 9%, equivalent to $3.50 billion of their share value.

Executives depart

A few days after the incident it was announced that the Chief Information Officer and Chief Security Officer would be departing from the business.

What went wrong?

It is unclear how the initial breach was caused, but it is believed that the hackers exploited a vulnerability in a piece of software used with the Apache web server program. A patch had been issued to fix the software, but it appears that this may not have been applied. The more recent incident is believed, according to various reports, to have resulted from an online employee tool that accepted “admin” as both the login and the password, which made it possible to gain access to customer data.

The Equifax Factor

The Equifax data breach should be a warning to UK businesses that they need to have the appropriate procedures in place to manage the data they hold ahead of the implementation of the GDPR on 25th May 2018. Should such a data breach occur once the GDPR is in force, UK citizens would be able to avail themselves of the protection of this forthcoming piece of legislation.

The privacy of data transfers between the UK and US received a boost this week when the European Commission announced that political agreement had been reached on what is effectively a replacement for Safe Harbor, known as the “Shield Decision”. A Working Party has subsequently published its initial reactions, which the European Commission must take into account if the Working Party does not agree with the “Shield Decision”. In the event that national data protection authorities refuse transfers on the basis of this decision, the matter will be raised with the European Court of Justice.

This is the result of three months of negotiations between the EU and US after the fall of the Safe Harbor agreement, which existed until October last year. The deadline of 31st January was missed as negotiations overran, with both parties failing to agree new privacy boundaries.

In the meantime it is understood that local data protection authorities will continue to accept standard contractual clauses and binding corporate rules for transfers of data to the US, providing privacy protection between these countries.

The main obligations imposed on firms handling Europeans’ personal data are as follows:-

US firms will need to commit to “robust obligations” on how personal data is processed and individual rights guaranteed. This will be monitored by the US Department of Commerce.

Clear safeguards and transparency obligations will be imposed on the US Government, setting out specific limitations on access for law enforcement and national security reasons.

There will be protection for EU citizens’ rights, with options for redress. This will include avenues for citizens who feel the privacy of their data has been misused, with strict guidelines for responding to complaints.

It is by no means “home and dry”; in addition to the Working Party involvement, Europe’s national privacy agencies meet to pass their own judgement on how data can be safely moved from the EU.

How does this impact the cyber insurance market and insurers’ perception of data being at risk?

It is too early to assess the impact of this decision, especially as the “Privacy Shield” has some way to go before being fully ratified, but any privacy protection laws and regulations help cyber insurers become more comfortable with the risks associated with the loss of personal data and individuals’ privacy.

Is the healthcare sector the next target in the UK for hackers to bring about a major data breach?

In the US over the past year there have been a number of high-profile and costly data breaches, the largest of which was suffered by the health insurer Anthem Inc, where 80 million personal records were stolen; in addition there were four other known multi-million-record data breaches in this sector. In the UK the number of data breaches so far has been small in comparison and has been limited to the loss of laptops and USB sticks, causing minor data breaches.

According to the 2015 Global Ponemon Institute Study on data breaches, there are signs of a significant increase in cyber attacks in the healthcare industry. The study identified that 91% of healthcare organizations have been subject to at least one data breach. Cyber attacks in this sector were also up by 125% from 2010 to 2015.

So what types of data are stored by these bodies that would make them attractive to a hacker?

Patient Information

Medical records

Test Records

Appointment information

Medical insurance details

Credit card and bank card details

Employee Information

National Insurance records

Salary details

Bank details

E-mail addresses

Telephone numbers

In addition, these bodies are likely to be dependent on third parties who may provide or store some of this data.

Where would a possible threat come from that might cause a data breach?

Insider Threats

Employee negligence, where an error results in a security failure or a laptop is carelessly left on a train

Employee ignorance, where personal data is inadvertently disposed of, or where there is a lack of training and awareness

A malicious employee who may be unhappy and wishes to cause disruption

Outsider Threats

Hacker attacks, which can take many forms, such as the injection of malware into a computer system or the mounting of a phishing attack.

Theft caused by social engineering tools used to disguise e-mails, which may lead to an extortion threat to release the data.

Third-party vendors who may have been breached themselves and caused a subsequent data breach at the primary entity.

Why are healthcare records being targeted by hackers?

Healthcare records are worth 5 times more than credit card details

Credit cards can be cancelled

The value of healthcare data can be utilized for a wider variety of purposes

What are the end uses for healthcare records?

Personal Identity Theft

Financial Identity Theft

Various forms of insurance fraud

The falsifying of prescriptions

The healthcare sector in general faces a number of challenges, including managing the ongoing conversion from paper records to digital files and maintaining computer security that constantly requires updating to keep pace with the technology that hackers now possess.

Aside from the threat of a data breach, there is the threat posed by more medical devices being connected to the network; the ensuing connection to IP networks exposes these devices to more cyber attacks. The “Internet of Things” is also a real threat to this sector, and even more so to patients, where there is the ability to hack medical devices like insulin pumps or pacemakers.

Cyber liability insurance can play an important role in helping to mitigate a serious data breach and should be an important consideration for organizations in this industry. This sector is perceived to be in a high-risk category by the insurance market, and it is therefore an area where cyber security consultants can add considerable value by helping insurers assess the relative exposures and offer commensurate premiums and terms.